procmail

Re: Help! Need to use procmail to fight dangerous security exploit

1998-08-02 20:16:58
After a few hours of testing with procmail at the unix
commandline, here's something that appears to work, and will
probably end up on my web page.  A running commentary is
given at the end of this message.  Note that the first match
line, and both formail lines are long and will be folded on
your screen...

########################################################
# Set to non-zero by either recipe below when a suspicious
# Content-Disposition: header is found.
MIME_EXPLOIT=0

# 1st recipe: blatant long filename, more than 63 characters
# after "filename=" on a single line (one dot per character).
# The \/ token makes MATCH hold the start of the offending
# line so it can be quoted in the X-Suspicious-Line: header.
:0HB
*()\/^Content-Disposition:.*filename=...................................................................
{
  # Caveat: $MATCH contains the quote after filename=, which
  # can upset the quoting of this formail argument.
  :0f
  | formail -A "X-Reject: File attachment name greater than 63 characters" -A "X-Suspicious-Line: $MATCH"

  MIME_EXPLOIT=1
}

# 2nd recipe: "stealth" long filename.  The line is not closed
# by an unescaped quote, so the name may continue on the next
# line.  \/ is needed here too, otherwise $MATCH would be left
# over from the first recipe instead of being set by this one.
:0BH
* ()\/^Content-Disposition:.*filename=.*([^"]|\\\")$
{
  :0f
  | formail -A "X-Reject: Content-Disposition: header not terminated with an unescaped quote" -A "X-Suspicious-Line: $MATCH"

  # Add 1 to MIME_EXPLOIT via procmail scoring ($= is the total).
  :0
  *$ $MIME_EXPLOIT^0
  *  1^0
  { MIME_EXPLOIT=$= }
}

# Any non-zero score goes to the junkmail folder.
:0
*$ $MIME_EXPLOIT^0
junkmail

########################################################

  Initialize variable MIME_EXPLOIT to zero.  1st recipe checks
for a blatant long filename.  If found
  - an X-Reject: header will be inserted...
  - an X-Suspicious-Line: header will be inserted, along
    with the beginning of the suspicious line
  - MIME_EXPLOIT will be set to 1

  The 2nd recipe checks for "stealth" long filenames.  If
Content-Disposition: is not terminated with a quote or if
it's terminated with an *ESCAPED* quote, (same difference)
then it can be continued on the following line to give a
long filename.  If such a condition is found...
  - an X-Reject: header will be inserted...
  - an X-Suspicious-Line: header will be inserted, along
    with the beginning of the suspicious line
  - MIME_EXPLOIT will be incremented by 1

  Finally, check if MIME_EXPLOIT > 0.  If so, dump the email
to the junkmail file.

  I hope to have this up on my SpamDunk Project webpage
later today (Sunday).

-- 
Walter Dnes <waltdnes(_at_)interlog(_dot_)com> procmail spamfilter
http://www.interlog.com/~waltdnes/spamdunk/spamdunk.htm
Why a fiscal conservative opposes Toronto 2008 OWE-lympics
http://www.interlog.com/~waltdnes/owe-lympics/owe-lympics.htm
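The same two checks as an added example in Python (not the poster's code and not procmail), run over constructed sample messages so the scoring logic can be tried without a mail setup; the 63-character threshold, the case-insensitive matching and the "unterminated or escaped quote" regex follow the recipes above:

```python
import re

# Python equivalent of the two procmail recipes in the post. Procmail
# conditions are case-insensitive by default, hence re.I. The character
# class excludes newline so a header followed by a blank line is not a
# false positive for "unterminated".
MAX_FILENAME_LEN = 63
LONG_NAME = re.compile(
    r'^Content-Disposition:.*filename=.{%d,}' % (MAX_FILENAME_LEN + 1),
    re.I | re.M)
UNTERMINATED = re.compile(
    r'^Content-Disposition:.*filename=.*([^"\n]|\\")$', re.I | re.M)


def scan_message(message):
    """Return (MIME_EXPLOIT score, headers to add) for one raw message."""
    message = message.replace("\r\n", "\n")   # normalise CRLF first
    score, added = 0, []
    m = LONG_NAME.search(message)             # recipe 1: blatant long name
    if m:
        added.append("X-Reject: File attachment name greater than 63 characters")
        added.append("X-Suspicious-Line: " + m.group(0)[:72])
        score = 1
    m = UNTERMINATED.search(message)          # recipe 2: unterminated quote
    if m:
        added.append("X-Reject: Content-Disposition: header not terminated "
                     "with an unescaped quote")
        added.append("X-Suspicious-Line: " + m.group(0)[:72])
        score += 1
    return score, added


def deliver(message):
    """Mirror the last recipe: any non-zero score lands in 'junkmail'."""
    score, added = scan_message(message)
    return ("junkmail" if score else "inbox"), added


# Constructed sample messages (not real mail); only the MIME part shown.
BODY = 'Content-Type: multipart/mixed; boundary="b"\n\n--b\n%s\n\nhello\n--b--\n'
CLEAN = BODY % 'Content-Disposition: attachment; filename="notes.txt"'
LONG = BODY % ('Content-Disposition: attachment; filename="%s.exe"' % ("A" * 70))
STEALTH = BODY % ('Content-Disposition: attachment; filename="part1\\"\n  %s"'
                  % ("A" * 70))

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("long", LONG), ("stealth", STEALTH)):
        print(name, deliver(msg))
```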